updating security operations for the cloud - aws symposium 2014 - washington d.c. - partner...

Post on 15-Jan-2015


DESCRIPTION

Learn how to increase the effectiveness of your security operations as you move to the Cloud. We will discuss how your current incident response, monitoring, and audit response tactics have to change in the Cloud. Drawing from experiences helping clients move to the Cloud, industry research, and the 'school of hard knocks', this talk will help provide practical advice you can apply today. This session is recommended for technical users who want to know how the day-to-day work of securing their on-premises workloads should change when moving to the Cloud.

TRANSCRIPT

AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014


Security Features of AWS Services in AWS GovCloud (US)

Alice Rison (adeane@amazon.com), Mark Ryland (markry@amazon.com), Mai-Lan Tomsen Bukovec (mailan@amazon.com), CJ Moses (cmoses@amazon.com)


The AWS Mission

To enable businesses, governments, educational institutions, and developers to use web services to build scalable, sophisticated applications.


AWS GovCloud (US)

AWS exclusive government community cloud restricted to vetted U.S. Government and U.S. commercial entities with government-oriented and regulated workloads.


Compliance Regimes
• International Traffic in Arms Regulations (ITAR):
– 3rd party ITAR attestation letter
– US Persons only physical/logical access
– ITAR boundary defined in the AWS GovCloud (US) User Guide for all AWS services
• FedRAMP:
– FedRAMP Agency ATO with HHS
– NIST 800-53 security controls
– Boundary includes EC2, VPC, IAM, EBS, and S3


Shared Responsibility Model
• Security is a shared responsibility
• AWS – responsible for the physical security of data centers, through the virtualization level up to the host operating system
• Customers – responsible for building secure applications
• AWS services provide you with the features you need to create a reliable, secure, scalable, highly available and cost-efficient IT system


AWS Identity & Access Management
• AWS GovCloud (US): the IAM you know and love, except:
– Disjoint principal database
– Disjoint resource/ARN namespace (including S3)
– No console access for root identity
– Challenges for cross-region features
• SAML Federation!
• EC2 resource permissions: status and plans


Amazon S3 Features
• Data confidentiality, integrity, and availability
• Data access restricted by default:
– Object: IAM policies, ACLs, Bucket Policies
– Log access to buckets and objects
• Plethora of encryption options:
– data in transit: FIPS 140-2 validated endpoints in AWS GovCloud (US) and SSL options
– data at rest: 256-bit Advanced Encryption Standard (AES-256) with S3 SSE
• Designed for 99.9% availability and up to eleven 9’s of durability
• Amazon S3 Versioning’s MFA Delete feature
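The S3 controls listed above (TLS-only access via the FIPS/SSL endpoints, SSE-S3 with AES-256) together with the disjoint ARN namespace from the IAM slide, as an added example that is not part of the original deck: a bucket policy written as three explicit Deny statements in the aws-us-gov partition, plus a small offline evaluator of those Deny conditions so the policy can be checked against sample requests before it is attached. The bucket name, object key and request contexts are constructed; the DenyIncorrectEncryptionHeader/DenyUnencryptedObjectUploads pairing follows the pattern AWS documents for requiring SSE, because a negated StringNotEquals alone does not match a request that omits the header.

```python
"""Added example (not from the slides): S3 bucket policy enforcing TLS in
transit and SSE-S3 (AES-256) at rest for a GovCloud bucket, with a tiny
local model of the Deny conditions for offline sanity checks."""
import fnmatch
import json

GOVCLOUD_PARTITION = "aws-us-gov"  # GovCloud ARNs use this partition, not "aws"


def bucket_arn(bucket, partition=GOVCLOUD_PARTITION):
    return f"arn:{partition}:s3:::{bucket}"


def build_policy(bucket):
    """Three explicit Deny statements; Allow grants still come from IAM or ACLs."""
    objects = bucket_arn(bucket) + "/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # any request over plain HTTP is refused (bucket and objects)
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn(bucket), objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # uploads asking for any SSE mode other than AES256 are refused
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
            },
            {   # uploads that omit the SSE header entirely are refused as well
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _condition_matches(condition, ctx):
    """Model of the three operators used above. On a missing key, Bool and
    StringNotEquals do not match; Null:"true" does (that is why both
    PutObject statements are needed)."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                ok = have is not None and str(have).lower() == str(want).lower()
            elif op == "StringNotEquals":
                ok = have is not None and have != want
            elif op == "Null":
                ok = (have is None) == (str(want).lower() == "true")
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True


def _glob_any(patterns, value, fold_case=False):
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:  # IAM action names are case-insensitive; ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def explicit_deny(policy, request):
    """Sid of the first Deny statement matching the request, or None.
    request = {"action", "resource", "context"}; only Deny is modelled."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not _glob_any(st["Action"], request["action"], fold_case=True):
            continue
        if not _glob_any(st["Resource"], request["resource"]):
            continue
        if _condition_matches(st.get("Condition", {}), request["context"]):
            return st["Sid"]
    return None


if __name__ == "__main__":
    policy = build_policy("example-gov-bucket")  # constructed bucket name
    print(json.dumps(policy, indent=2))
    key = bucket_arn("example-gov-bucket") + "/report.csv"
    for ctx in ({"aws:SecureTransport": "false"},
                {"aws:SecureTransport": "true"},
                {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"},
                {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}):
        req = {"action": "s3:PutObject", "resource": key, "context": ctx}
        print(ctx, "->", explicit_deny(policy, req))
```

The evaluator models only the explicit-Deny half of IAM evaluation; a request that is not denied here still needs an Allow from an IAM policy, bucket policy or ACL, and the real service, not this script, is the authority. Note that a request against the same bucket name in the commercial `arn:aws:` partition does not match any statement, which is the practical consequence of the disjoint ARN namespace: policies written for one partition have to be rewritten for the other.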


Amazon EMR security architecture (diagram: corporate data center connected through a VPN Gateway to a Virtual Private Cloud containing the Web App Server and the EMR Cluster with its Master and Slave Security Groups, with Amazon S3 as the data store; the numbered callouts are:)

1. Store your input and output data in S3 using S3 Server Side Encryption
2. EMR reads and writes to S3 using https
3. EMR creates security groups for the master and slaves. You can configure them to only allow certain ports/IPs
4. Encrypt data stored on disk (optional)
5. Encrypt data in transit between nodes (optional)
6. Launch the cluster in a VPC
7. Connect to your own data center using VPN


Amazon EMR Features
• EC2 Security Groups
• Data is transferred to and from Amazon S3 using the FIPS validated endpoint
• Cluster specific access control
• Integration with VPC
• Cohesive with data at rest encryption


Amazon VPC Architecture (diagram: the customer’s network connected to the Amazon Web Services cloud by a secure VPN connection over the Internet; inside the VPC a router, a VPN gateway, NAT and subnets holding the customer’s isolated AWS resources, with a path out to the Internet)


Amazon VPC Features
• AWS GovCloud (US) – mandatory VPC
• Firewall/Security Groups
• Network Access Control Lists
• Subnets and Route Tables
• Virtual Private Gateways
• Internet Gateways
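The security-group control that both the EMR diagram above ("configure them to only allow certain ports/IPs") and this slide rely on, as an added example that is not part of the original deck: an audit over the JSON shape returned by `aws ec2 describe-security-groups`, flagging every inbound rule reachable from the whole Internet. The security groups, IDs and rules below are constructed sample data, and the set of TCP ports a public-facing tier may legitimately expose (443 only) is an assumption to be adjusted per workload.

```python
"""Added example (not from the slides): flag inbound security-group rules
open to 0.0.0.0/0 (or ::/0) in describe-security-groups output."""
import ipaddress
import json

# Constructed sample in the `aws ec2 describe-security-groups` output shape.
# An EMR master open to the world on 8088, a slave group that only trusts
# the master group, and a web tier with 443 public plus an all-traffic rule.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "ElasticMapReduce-master",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 8088, "ToPort": 8088,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0e9f8a7b", "GroupName": "ElasticMapReduce-slave",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [],
              "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]}]},
        {"GroupId": "sg-01234567", "GroupName": "web-app",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "UserIdGroupPairs": []}]},
    ]
})

PUBLIC_TCP_PORTS = frozenset({443})  # assumption: what a public web tier may expose


def is_world_open(cidr):
    """True for a prefix that admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm):
    """Port range a rule covers; protocol -1 means all ports of all protocols."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit_security_groups(describe_json, allowed_public_tcp_ports=PUBLIC_TCP_PORTS):
    """Return (GroupId, GroupName, protocol, from_port, to_port, cidr) for each
    inbound rule open to the world, except a single allow-listed TCP port.
    Rules that only reference other security groups are not world-reachable
    and are left alone."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            lo, hi = rule_ports(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                if proto == "tcp" and lo == hi and lo in allowed_public_tcp_ports:
                    continue  # e.g. 443 on the web tier: expected exposure
                findings.append((sg["GroupId"], sg["GroupName"], proto, lo, hi, cidr))
    return findings


if __name__ == "__main__":
    for gid, name, proto, lo, hi, cidr in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{gid} ({name}): {proto} {lo}-{hi} open to {cidr}")
```

On real output, pipe `aws ec2 describe-security-groups --output json` into `audit_security_groups`; the two findings on the sample are the EMR master's 8088 (the YARN resource manager UI is not something to publish to the Internet) and the web tier's all-traffic rule, while the slave group, which trusts only the master group, produces none.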


Ideal Workloads
• Web & Mobile Applications
• Big Data & High Performance Computing
• Mission Oriented Applications
• Disaster Recovery & Archive


Case Study: CDC BioSense 2.0 (Organizational Benefits)

• The US Centers for Disease Control and Prevention’s (CDC) mission is to improve public health.

• With the BioSense 2.0 program, the CDC is tasked with providing awareness for all health-related threats and to support responses to these threats at the national, state, and local level.

• The CDC re-launched BioSense 2.0 on Amazon Web Services in AWS GovCloud (US) and other Regions using Amazon EC2, Amazon S3, Amazon EMR, and Amazon SES.

• Needing to avoid purchasing expensive hardware and software, the organization turned to AWS for its low cost, pay-per-use model, high availability, as well as security and compliance practices.

• The CDC leveraged service level security features in AWS GovCloud (US) to meet the confidentiality, availability and integrity security controls needed to obtain a FISMA Moderate Level ATO.


Learn More
• Security White Papers: http://aws.amazon.com/security/security-resources/
– AWS Security Overview
– AWS Security Best Practices
– Securing Data at Rest with Encryption
– Amazon VPC Connectivity Options
– Auditing Security Checklist
– Security at Scale: Logging in AWS
• AWS GovCloud (US) User Guide: http://docs.aws.amazon.com/govcloud-us


Thank You!! http://aws.amazon.com/govcloud-us
